This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Most CISOs receive a rude awakening when they encounter their first major security issue in the cloud. If they identify a critical vulnerability that requires a patch, they may not have the authorization to tweak the cloud provider's pre-packaged stack. And if the customer does not own the network, there may not be a way to access details that are critical to investigating an incident.
In order to avoid a major security issue in the cloud, CISO’s must have an incident response plan. Here is how to build one:
1. Establish a joint response plan with the cloud provider. If you have not yet moved to the cloud, the most practical first step is to establish a joint response process. Responsibilities and roles should be clearly defined, and contact information for primary and secondary contacts should be exchanged. Obtain a detailed explanation of what triggers the provider's incident response and how the provider will manage different issues.
2. Evaluate the monitoring controls and security measures that are in place in the cloud.For an effective response on security issues related to cloud infrastructure, it is important to understand what kind of monitoring and security measures are in place by the cloud provider and what access you have to those tools. If you find they are insufficient, look for ways you can deploy a supplemental fix.
3. Build a recovery plan. Decide whether recovery will be necessary in the event of a provider outage. Create a recovery plan that defines whether to use an alternate provider or internal assets as well as a procedure to collect and move data.
4. Evaluate forensic tools for cloud infrastructure. Find out what tools are available from the cloud provider or from other sources for conducting forensics in case of an incident. If the incident involves PII information, it might turn into a legal and compliance challenge, so having appropriate tools which can help with forensics and evidence tracking is essential.
Handling an incident in the cloud
Many incident response steps are similar whether you are dealing with the cloud or a local installation. However, there are some additional steps you may need to take in the case of a cloud incident:
- Contact your provider's incident response team immediately, and be aggressive in your communications. If the provider's team cannot be reached, do everything you can on your end to contain the incident, like controlling connections to cloud service and revoking user access to the cloud service in questions.
- If the incident cannot be controlled or contained, prepare to move to an alternate service or set up an internal server.
- The cloud allows you to delay identification and eradication until the crisis has passed. In most cases, you can proceed immediately to restore production services by instantiating a new instance.
Best practices for incident response in the cloud
One critical issue that many enterprises face is the lack of talent possessing the proper skills to manage security. It is difficult to find the right candidates, and if you locate them, you can expect to have ato pay top salaries. By the end of 2024, the Bureau of Labor Statistics expects information security analyst jobs to grow 18%, and salaries are already averaging well into six figures.
However, there are some steps that you can take to bring new employees up to speed quickly or enhance the skills of existing employees:
- Promote collaboration to help junior analysts benefit from the experience of senior analysts. As a bonus, collaborative efforts may reveal duplicate efforts that can be eliminated.
- Create playbooks that prescribe standard procedures for responding to incidents. Naturally, you cannot create a guide for every potential situation, but playbooks can be valuable guides and excellent training materials. Just remember to keep playbooks updated, which is a task that can often be automated.
- Speaking of automation, many tasks can be automated, especially if they are repetitive and routine. Mundane tasks take up an unjustifiable amount of time. Automation can free your staff members for more important tasks.
- Foster situational awareness from both the historical and real-time points of view. An effective analysis of past incidents can help you make better decisions about current incidents.
- Analyze incidents and create a database to help determine the types of problems encountered, the skills needed to address the issue, the frequency of each type of incident, and other facts. Analysis can help you identify vulnerabilities and determine where to bolster security.
Like most security best practices related to cloud applications, incident response is also a shared responsibility. Planning ahead for incident response is critical to make sure you have the right contacts, tools and processes in place. Having an incident response platform that can enable collaboration for internal and external teams, track incident response processes and automate key security tasks, is essential in the time of crisis to contain issues quickly and respond effectively.
For more information, visit www.Demisto.com.